grype: False positive CVE-2015-5237 for protobuf-go
What happened:
Our go.mod dependency of google.golang.org/protobuf@v1.27.1 (a.k.a https://github.com/protocolbuffers/protobuf-go) is detected by syft/grype as cpe:2.3:a:google:protobuf:v1.27.1:*:*:*:*:*:*:* and grype matches CVE-2015-5237 based on cpe:2.3:a:google:protobuf:*:*:*:*:*:*:*:* <= 3.1.0 but 1.27.1 is the latest version.
The CVE links to https://github.com/protocolbuffers/protobuf/issues/760 which is a different project (protobuf language spec vs the golang runtime).
What you expected to happen: Distinguish between google.golang.org/protobuf and github.com/protocolbuffers/protobuf
How to reproduce it (as minimally and precisely as possible):
mkdir -p /tmp/gomod/
echo '
module foo
go 1.17
require google.golang.org/protobuf v1.27.1' > /tmp/gomod/go.mod
grype dir:/tmp/gomod
Anything else we need to know?: https://github.com/golang/vuln/blob/master/triaged-cve-list marks CVE-2015-5237 as a false postive - but I’m not sure what package/version that refers to.
Environment:
- Output of
grype version:
Application: grype
Version: 0.27.3
Syft Version: v0.33.0
BuildDate: 2021-12-16T15:11:16Z
GitCommit: 4f964c4ee26ad01a80b8bcffb6bf23c0afb71d09
GitTreeState: clean
Platform: darwin/amd64
GoVersion: go1.16.12
Compiler: gc
Supported DB Schema: 3
- OS (e.g:
cat /etc/os-releaseor similar): MacOS Big Sur 11.6.2
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 15
- Comments: 20 (10 by maintainers)
Commits related to this issue
- Revert "Fix CVE-2015-5237 (#5645)" This reverts commit 3f7c4e9c5e87af7c295bd5a8b55d8744979a42b7. This CVE is a false positive https://github.com/anchore/grype/issues/558 The CVE links to https://gi... — committed to naemono/cloud-on-k8s by naemono 2 years ago
- Revert "Fix CVE-2015-5237 (#5645)" (#5735) This reverts commit 3f7c4e9c5e87af7c295bd5a8b55d8744979a42b7. This CVE is a false positive https://github.com/anchore/grype/issues/558 The CVE links t... — committed to elastic/cloud-on-k8s by naemono 2 years ago
- Revert "Fix CVE-2015-5237 (#5645)" (#5735) This reverts commit 3f7c4e9c5e87af7c295bd5a8b55d8744979a42b7. This CVE is a false positive https://github.com/anchore/grype/issues/558 The CVE links t... — committed to fantapsody/cloud-on-k8s by naemono 2 years ago
you can also control it with env variables if that’s easier for you, example for golang
So what we are planning to do here is to eventually disable CPE-based matching by default. @wagoodman is currently working on getting a quality check implemented within Grype so that on each commit we can understand the difference in detection of false-positives and ensure there aren’t any false-negatives introduced as part of a change. We are also working on bringing in an additional source of vulnerability data from GitLab’s Community Advisory Database to provide additional coverage for some ecosystems (java Maven in particular). We believe that with both of those in place we can safely turn off the CPE-based matching by default without introducing many false-negatives that would have been found by the CPE-based matches and eliminate the flood of false-positives that it generates
is there any update on this. This is still being flagged widely by grype.
This also seems to be a false-positive with https://animal.uk.oracle.com/CVE-2021-22570. Same symptoms. Do we need a separate bug for that?
much appreciated @luhring – I think a hard coded fix for this one is worth it given the number of folks impacted by this. Thanks in advance 🙏 !
Sure @fjammes! We’re still trying to work out where we want to go with CPE generation so it’s not such a moving target where we always see FPS.
In the meantime, if you’re having a current issue where a vuln is blocking your CI, would you be able to use the
Ignorefunctionality listed here.